Insta Content Engine

Security checks across malware telemetry and agentic risk

Overview

The skill is coherent, but needs Review because it can post publicly to social accounts and handles passwords/session files without enough safeguards.

Install only if you are comfortable giving this skill access to real social accounts and API keys. Use a dedicated or low-risk account, prefer environment variables or a secret manager over command-line passwords, review every caption and media file before posting, avoid running it on untrusted prompts or untrusted queries, and remove ~/.openclaw/ig_session.json when you no longer need the Instagram session.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 91%
Finding: The skill instructs use of environment-backed secrets and networked tools, but does not declare corresponding permissions or provide an explicit trust boundary. That increases the chance an agent or user will run credentialed network operations without realizing the skill can access API keys, account credentials, and external services.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 95%
Finding: The documented behavior materially differs from the stated purpose: it relies on Brave Search and Instagram credentials, suggests posting capabilities that are not fully implemented for X, and describes generalized trending/editorial behavior that appears narrower or absent in code. This mismatch can mislead users into granting secrets, approving publishing steps, or trusting safety properties the skill does not actually satisfy.

Missing User Warnings

Medium
Confidence: 93%
Finding: The skill provides direct posting commands for public social accounts without an explicit warning that execution can publish irreversible content to user-controlled accounts. In an agent setting, this can lead to accidental or unauthorized posting, reputational harm, and misuse of authenticated sessions.

Missing User Warnings

Medium
Confidence: 94%
Finding: The skill asks for API keys and Instagram username/password credentials but does not include a user-facing warning about secret handling, storage, or exposure risk. This encourages unsafe secret provisioning practices and may cause users to place sensitive credentials into environments or tooling without adequate safeguards.

Missing User Warnings

Medium
Confidence: 92%
Finding: The script performs a real publishing action to Instagram immediately once credentials and media are supplied, without any interactive confirmation, dry-run mode, or explicit safety gate. In an agent skill context, this is risky because a mistaken prompt, compromised upstream workflow, or malicious automation could cause unintended public posting to an account.

Missing User Warnings

Medium
Confidence: 96%
Finding: Allowing Instagram passwords to be passed via --password exposes secrets through shell history, process listings, job logs, and orchestration telemetry. In agent or multi-user environments this significantly increases the chance of credential disclosure and downstream account compromise.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.
